
  • Tools to audit compliance


    Can you recommend tools to audit compliance?
     

    Answer:

    Sure, you can try our Internal Audit toolkit (you can see a free version by clicking on the “Free Demo” tab) “ISO 27001/ISO 22301 Internal Audit Toolkit”: https://advisera.com/27001academy/iso-27001-22301-internal-audit-documentation-toolkit/
    You can also develop your own Internal Audit checklist by reading this article “How to make an Internal Audit checklist for ISO 27001 / ISO 22301”: https://advisera.com/27001academy/knowledgebase/how-to-make-an-internal-audit-checklist-for-iso-27001-iso-22301/
  • Asset based or process based?


    I need one clarification on risk assessment, risk treatment and SoA: for ISO 27001:2013, is it based on "business process" or is it asset based?
    This is a confusion; some say it is asset based and some say that as per the new revision it is "business process based".
    I need your advice or related links for more information on the said subject.

    Answer:

    ISO 27001:2013 is based neither on assets nor on business processes; this means that you are free to develop your methodology on the basis that you want (asset or business process). Although generally a risk methodology based on assets is recommendable.
    This article can be interesting for you: “What has changed in risk assessment in ISO 27001:2013”: https://advisera.com/27001academy/knowledgebase/what-has-changed-in-risk-assessment-in-iso-270012013/
  • SoA - Confidential?

    For this reason, we do not include sensitive information in our SoA. It is all well and good for the certificate to show that a company is compliant, but without visibility of the SoA we don't know the scope of that compliance, and the associated state of their security. A business could have marked all the key elements as not applicable, and been compliant.
  • Additional controls


    We had a situation in the recent surveillance audit and would appreciate your input here.
    One of our company's divisions handles non-voice KPO and it was certified to the ISO 27001:2013 standard during May 2015 (Certification Upgrade Audit). However, now we have added a chunk of Healthcare domain to our KPO division. We connect to the customer's machines through VPN and process the records (no data is copied to our local machines) and the KPO bay is a 'no mobile - no paper' zone. However, just to track the progress of the records we process, the team lead types the client's name in an Excel sheet maintained on a local machine, followed by start date, target date of completion and to whom it is assigned.
    I would like to know if I need to add any HIPAA control to my SoA in these scenarios. Can we use the client's name alone on a local machine for tracking? What is the HIPAA control when work is outsourced?
    P.S.: The MSA has a generic statement "All relevant HIPAA Controls are applicable" but didn't say anything explicitly.

    Answer:

    Regarding compliance with ISO 27001:2013, it is not strictly necessary to implement additional controls; I mean, the 114 controls of Annex A of the standard are enough, although the implementation of additional controls (for example, controls related to HIPAA) can be a best practice.
    But if HIPAA applies to your business, you can effectively include controls related to this standard in the SoA of ISO 27001, so in this case you can have a single ISMS with the controls of both standards.
    Regarding the use of the client's name alone on a local machine, it is related to personal data, and depending on your country a specific regulation can apply, but generally you can use this information applying the security controls established by the regulation of your country. Anyway, ISO 27001:2013 has in Annex A the control "A.18.1.4 Privacy and protection of personally identifiable information" for the protection of this type of data. This article about the regulations and laws of many countries related to information security can be interesting for you: “Laws and regulations on information security and business continuity”: https://advisera.com/27001academy/knowledgebase/laws-regulations-information-security-business-continuity/
    Regarding your last question, I am sorry but I am not an expert in HIPAA, but from my point of view, if you have an external provider who is working with information protected by HIPAA, this provider needs to apply the controls of this standard.
    You can find more information on HIPAA on the official site of the U.S. Department of Health & Human Services: https://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html
  • Costs of implementation of controls


    About the risk methodology: must it include the cost of implementation of controls? Do you have any idea about that implementation?

    Answer:

    I suppose that your question is related to the risk treatment plan; if so, it is not strictly necessary that you include costs related to the implementation of security controls (it is not established in ISO 27001:2013), although it can be a best practice.
    Anyway, the cost of the implementation of controls can depend on various parameters, for example: costs of human resources (internal or external), costs of services (internal or external), costs of equipment, etc.
    This article about the risk treatment plan can be interesting for you: “Risk Treatment Plan and risk treatment process – What’s the difference?”: https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#treatment
    And maybe our template for the risk treatment plan can be useful for you (you can see a free version by clicking on the “Free Demo” tab) “Risk Treatment Plan”: https://advisera.com/27001academy/documentation/risk-treatment-plan/ and also our risk assessment and risk treatment methodology can be interesting for you “Risk Assessment and Risk Treatment Methodology”: https://advisera.com/27001academy/documentation/risk-assessment-and-risk-treatment-methodology/
  • Roles in the ISMS


    I want to ask about the roles in ISO 27001 in the organization.

    Answer:

    The main role in an ISMS is the CISO, who can be someone from top management, but other roles can be people related to the departments involved in the scope of the ISMS: Head of IT Department and/or IT Expert, Head of Human Resources and/or experts, Head of Physical Security and/or experts, Head of Legal Department and/or experts, etc. These roles can be described in different policies and procedures, so a central document with all this information is not necessary.
    By the way, have you read our article about the roles and responsibilities of top management? “Roles and responsibilities of top management in ISO 27001 and ISO 22301”: https://advisera.com/27001academy/blog/2014/06/09/roles-and-responsibilities-of-top-management-in-iso-27001-and-iso-22301/
  • Formula for calculating RTO; using turnover


    Answer:

    The calculation of RTO/acceptable losses is best done when taking into account both financial and non-financial inputs. Non-financial could be the deterioration of the company image in the market, difficulty of catching up with the backlog of work, etc.

    Regarding the financial turnover, you should calculate how much money you would lose if your company is not operational for e.g. 24 hours, and compare this to your company's annual profit; then you should ask your executives which amount of loss is acceptable for them.

    You'll find more examples in this article: “How to implement business impact analysis (BIA) according to ISO 22301”: https://advisera.com/27001academy/knowledgebase/how-to-implement-business-impact-analysis-bia-according-to-iso-22301/
  • Information Security Risk Assessment

    From my point of view you need to categorize assets. For example: Information (customer information, payroll information, etc.), Software (Navision, MS-SQL), Hardware (PCs, file servers, backup tapes). These assets are different (different types) and they have different threats/vulnerabilities, so the distinction is important.

    Regarding point 2 of your approach, remember that you also need to consider the impact on the integrity and availability of each asset.

    Other comments: You also need to include assets like infrastructure, people, etc. Identify the asset owner, determine which risks are not acceptable, and note that the calculation of the value of the assets is not necessary if you assess the impact. See this article "How to assess consequences and likelihood in ISO 27001 risk analysis": https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#assessment
    Finally, this article can be interesting for you: "How to handle Asset register (Asset inventory) according to ISO 27001": https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/
    And maybe these articles can be interesting for you:
    "How to write ISO 27001 risk assessment methodology": https://advisera.com/27001academy/knowledgebase/write-iso-27001-risk-assessment-methodology/
    "How to assess consequences and likelihood in ISO 27001 risk analysis": https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#assessment
  • Determine RTO for a business process


    When we determine the RTO for a business process, should we do it with the assumption of the critical periods or not? For example, payroll processing is not critical during the month, but only on the first day of the month. When we do the impact assessment, should we suppose the disaster will happen on the 1st of the month?
    When customizing the BIA questionnaire for a bank, what time frames (I mean 0-4 hrs / 8-12, etc.) should I use?

    Answer:

    From my point of view, the best is to establish the RTO according to the critical day (1st of the month); in this way you will have a “demanding” RTO for the rest of the month, but it should not be a problem for the organization. Another option, from my point of view, is to have 2 RTOs, one for the 1st and another for the rest of the month.
    Regarding the customization of the BIA questionnaire, the time frames depend on each business, so in some cases they can also be in minutes: 1-15m, 15-30m, etc.
    This article about the BIA can be interesting for you: “How to implement business impact analysis (BIA) according to ISO 22301”: http://advisera.com/27001academy/knowledgebase/how-to-implement-business-impact-analysis-bia-according-to-iso-22301/
  • 12.1.2 Change management vs 14.2.2 System change control procedures


    Can you explain in detail the difference between 12.1.2 and 14.2.2 and give a few examples?

    Answer:

    Basically, 12.1.2 is for changes related to operations or production (business processes, information processing facilities and systems that can affect information security), and 14.2.2 is for changes related to applications or development of software (systems within the development lifecycle).
    Examples for 12.1.2: You have a system with Windows 8.1 and you want to update it to Windows 10. Your backup policy establishes a complete daily backup, and you change the frequency to one each week.
    Examples for 14.2.2: You are developing an application, and there are changes in the requirements & design stage of the software lifecycle because you want to add more features to the application. Or during coding your application connects to a database and you want to connect it to another database.
    In accordance with ISO 27002 14.2.2 System change control procedures: “Wherever practicable, application and operational change control procedures should be integrated”.
    Finally, this article can be interesting for you: “How to manage changes in an ISMS according to ISO 27001 A.12.1.2”: https://advisera.com/27001academy/blog/2015/09/14/how-to-manage-changes-in-an-isms-according-to-iso-27001-a-12-1-2/